SANS ISC InfoSec Forums

Do you know the amount of Tor traffic hitting your network? Do you know what people are doing from this anonymized network? Most IDS solutions have built-in rules to report traffic generated from/to Tor exit nodes. This is a common event triggered by rules like this one (from the Emerging Threats feed):

This is very interesting to know when some traffic is coming (or leaving) your infrastructure from the Tor network. Tor traffic can be completely legit (more and more people take care of their privacy) but it can also be a sign of reconnaissance or ongoing attack from bad guys. IDS are usually deployed behind firewalls (internal side) and do not see the traffic dropped by the firewall. The dropped traffic has a real value from a security point of view. If most “next-generation” firewalls are able to detect Tor traffic, they do not report the traffic from/to Tor exit nodes by default. I was curious to know how my own infrastructure was reached by such hosts. It means many public resources, servers, VPS and my home network. How to achieve this? I performed this with Splunk but the same is easily doable within other log management solutions like the ELK stack or SIEM products.

Note: I add a second field “desc” with a default value “TorExitNode” to be able to perform the lookup in Splunk.

The next step is to configure Splunk and create a lookup table to search for IP addresses from the CSV files. With the huge amount of IP addresses in the CSV, I decided to use a KV (keyword-value lookup table) to speed up searches. Have a look at the Splunk documentation for details. Now we can use the lookup table and start searching for Tor exit nodes which hit my firewalls. This is achieve using the following query:

Based on the graph, we can see that the traffic is mainly reconnaissance: ssh ports / telnet and web services. A special mention for VNC (5900) and SIP (5060)!

Finally, we can get info about a specific protocol (ex: HTTP). Here we see all HTTP errors (code > 200):

You can imagine plenty of useful queries to get extra values from your logs. If your web server is scanned, something weird may occur but it it's performed from Tor, you can increase the incident level.